Advisories » MGASA-2018-0062

kernel update provides 4.14 series and fixes security vulnerabilities

Publication date: 06 Jan 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-0786, CVE-2017-0861, CVE-2017-7518, CVE-2017-12188, CVE-2017-12190, CVE-2017-12193, CVE-2017-13080, CVE-2017-15115, CVE-2017-15265, CVE-2017-15299, CVE-2017-16939, CVE-2017-16994, CVE-2017-16995, CVE-2017-16996, CVE-2017-17741, CVE-2017-17852, CVE-2017-17853, CVE-2017-17854, CVE-2017-17855, CVE-2017-17856, CVE-2017-17857, CVE-2017-17862, CVE-2017-17863, CVE-2017-17864, CVE-2017-18344, CVE-2017-1000407

Description

This kernel update provides an upgrade to the 4.14 longterm branch,
currently based on 4.14.10. It also fixes at least the following
security issues:

An elevation of privilege vulnerability in the Broadcom wi-fi driver
(CVE-2017-0786).

Use-after-free vulnerability in the snd_pcm_info function in the ALSA
subsystem in the Linux kernel allows attackers to gain privileges via
unspecified vectors (CVE-2017-0861).

A Linux kernel built with Kernel-based Virtual Machine (CONFIG_KVM)
support is vulnerable to an incorrect debug exception (#DB) error, which
can occur while emulating a syscall instruction. A user or process
inside a guest could use this flaw to potentially escalate their
privileges inside the guest. Linux guests are not affected (CVE-2017-7518).

arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested
virtualisation is used, does not properly traverse guest pagetable
entries to resolve a guest virtual address, which allows L1 guest OS
users to execute arbitrary code on the host OS or cause a denial of
service (incorrect index during page walking, and host OS crash), aka
an "MMU potential stack buffer overrun" (CVE-2017-12188).

The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the
Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O
vector has small consecutive buffers belonging to the same page. The
bio_add_pc_page function merges them into one, but the page reference
is never dropped. This causes a memory leak and possible system lockup
(exploitable against the host OS by a guest OS user, if a SCSI disk is
passed through to a virtual machine) due to an out-of-memory condition
(CVE-2017-12190).

The assoc_array_insert_into_terminal_node function in lib/assoc_array.c
in the Linux kernel before 4.13.11 mishandles node splitting, which allows
local users to cause a denial of service (NULL pointer dereference and
panic) via a crafted application, as demonstrated by the keyring key type,
and key addition and link creation operations (CVE-2017-12193).

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group
Temporal Key (GTK) during the group key handshake, allowing an attacker
within radio range to replay frames from access points to clients
(CVE-2017-13080).

The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel
before 4.14 does not check whether the intended netns is used in a
peel-off action, which allows local users to cause a denial of
service (use-after-free and system crash) or possibly have unspecified
other impact via crafted system calls (CVE-2017-15115).

Race condition in the ALSA subsystem in the Linux kernel before 4.13.8
allows local users to cause a denial of service (use-after-free) or
possibly have unspecified other impact via crafted /dev/snd/seq ioctl
calls, related to sound/core/seq/seq_clientmgr.c and
sound/core/seq/seq_ports.c (CVE-2017-15265).

The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of
add_key for a key that already exists but is uninstantiated, which allows
local users to cause a denial of service (NULL pointer dereference and
system crash) or possibly have unspecified other impact via a crafted
system call (CVE-2017-15299).

The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux
kernel before 4.13.11 allows local users to gain privileges or cause a
denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt
system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages
(CVE-2017-16939).

The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel
before 4.14.2 mishandles holes in hugetlb ranges, which allows local
users to obtain sensitive information from uninitialized kernel memory
via crafted use of the mincore() system call (CVE-2017-16994).

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel
through 4.14.8 allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact by leveraging
incorrect sign extension (CVE-2017-16995).

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local
users to cause a denial of service (memory corruption) or possibly have
unspecified other impact by leveraging register truncation mishandling
(CVE-2017-16996).

The KVM implementation in the Linux kernel through 4.14.7 allows attackers
to obtain potentially sensitive information from kernel memory, aka a
write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c
and include/trace/events/kvm.h (CVE-2017-17741).

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local
users to cause a denial of service (memory corruption) or possibly have
unspecified other impact by leveraging mishandling of 32-bit ALU ops
(CVE-2017-17852).

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local
users to cause a denial of service (memory corruption) or possibly have
unspecified other impact by leveraging incorrect BPF_RSH signed bounds
calculations (CVE-2017-17853).

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local
users to cause a denial of service (integer overflow and memory
corruption) or possibly have unspecified other impact by leveraging
unrestricted integer values for pointer arithmetic (CVE-2017-17854).

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local
users to cause a denial of service (memory corruption) or possibly have
unspecified other impact by leveraging improper use of pointers in
place of scalars (CVE-2017-17855).

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local
users to cause a denial of service (memory corruption) or possibly
have unspecified other impact by leveraging the lack of stack-pointer
alignment enforcement (CVE-2017-17856).

The check_stack_boundary function in kernel/bpf/verifier.c in the Linux
kernel through 4.14.8 allows local users to cause a denial of service
(memory corruption) or possibly have unspecified other impact by
leveraging mishandling of invalid variable stack read operations
(CVE-2017-17857).

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores
unreachable code, even though it would still be processed by JIT
compilers. This behavior, also considered an improper branch-pruning
logic issue, could possibly be used by local users for denial of
service (CVE-2017-17862).

kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not
check the relationship between pointer values and the BPF stack, which
allows local users to cause a denial of service (integer overflow or
invalid memory access) or possibly have unspecified other impact
(CVE-2017-17863).

kernel/bpf/verifier.c in the Linux kernel before 4.14 mishandles
states_equal comparisons between the pointer data type and the
UNKNOWN_VALUE data type, which allows local users to obtain potentially
sensitive address information, aka a "pointer leak" (CVE-2017-17864).

The timer_create syscall implementation in kernel/time/posix-timers.c
in the Linux kernel before 4.14.8 doesn't properly validate the
sigevent->sigev_notify field, which leads to out-of-bounds access in
the show_timer function (called when /proc/$PID/timers is read).
This allows userspace applications to read arbitrary kernel memory
(on a kernel built with CONFIG_POSIX_TIMERS and
CONFIG_CHECKPOINT_RESTORE) (CVE-2017-18344).

The Linux kernel 2.6.32 and later are affected by a denial of service:
by flooding the diagnostic port 0x80, an exception can be triggered
that leads to a kernel panic (CVE-2017-1000407).

This update also adds support for WireGuard VPN.

For other changes in this update, read the referenced changelogs.
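Added example, not part of the Mageia advisory or of the kernel project: a POSIX sh script that checks two things an administrator would want to know after applying this update. First, whether the kernel actually running (not merely installed; a reboot is needed) is at or beyond the 4.14.10 base this update provides. Second, whether unprivileged bpf() is disabled through the kernel.unprivileged_bpf_disabled sysctl (value 1 on 4.14 kernels), which closes the local-user path to the kernel/bpf/verifier.c issues listed above; it does nothing for the KVM, ALSA, KEYS, XFRM, hugetlb or posix-timer issues. The version comparison is a heuristic: it treats any kernel from another stable branch (for example a 4.9.x kernel with backported fixes) as vulnerable, so for a distribution kernel the package changelog, not the version string, is the authoritative check. The fixed base version and the sysctl semantics are the only facts assumed from outside the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the running kernel is
# at or past the advisory's 4.14.10 base and whether unprivileged bpf() is
# disabled. Pure POSIX sh; no GNU sort -V dependency.

FIXED_VERSION="4.14.10"   # base version named in the advisory text

# version_lt A B: succeed (exit 0) if dotted version A is strictly older than B.
# Anything after the first non-digit, non-dot character (e.g. the
# "-desktop-1.mga6" release suffix of a distribution kernel) is ignored.
# Missing trailing fields compare as 0, so "4.14" < "4.14.10".
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                 # leading field of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # consume that field
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # all fields equal: not strictly older
}

# kernel_status UNAME_R: print "vulnerable" if older than FIXED_VERSION,
# otherwise "patched". Kernels from another stable branch (4.9.x with
# backports) will be reported as vulnerable; see the caveat in the lead-in.
kernel_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# bpf_status VALUE: interpret kernel.unprivileged_bpf_disabled.
# On 4.14 the sysctl is 0 (unprivileged bpf() allowed) or 1 (denied).
bpf_status() {
    case $1 in
        1) echo "unprivileged bpf() disabled" ;;
        0) echo "unprivileged bpf() ENABLED: verifier bugs reachable by local users" ;;
        *) echo "unknown (no CONFIG_BPF_SYSCALL or sysctl unreadable)" ;;
    esac
}

main() {
    running=$(uname -r)
    printf 'running kernel  : %s -> %s (fixed base %s)\n' \
        "$running" "$(kernel_status "$running")" "$FIXED_VERSION"
    # Read the sysctl directly from procfs so the script needs no extra tools.
    sysctl_val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)
    printf 'unprivileged bpf: %s\n' "$(bpf_status "$sysctl_val")"
}

main
```

To enforce the BPF mitigation persistently on a 4.14 kernel, set `kernel.unprivileged_bpf_disabled = 1` in a sysctl.d drop-in; note that on these kernels the setting is one-way and cannot be cleared again without a reboot, and that it breaks any unprivileged program that legitimately loads eBPF programs.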